When you configure a product to read users/roles from your company LDAP in read-only mode, it does not write any data into the LDAP.
...
User management functionality is provided by default in all WSO2 Carbon-based products and is configured in the <PRODUCT_HOME>/repository/conf/user-mgt.xml file.
...
Given below is a sample configuration for the LDAP user store. It is found in the <PRODUCT_HOME>/repository/conf/user-mgt.xml file; you need to uncomment it and make the appropriate adjustments. Also ensure that you comment out the configurations for the other user stores that you are not using.
```xml
<UserManager>
  <Realm>
    ...
    <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager">
      <Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
      <Property name="ReadOnly">true</Property>
      <Property name="Disabled">false</Property>
      <Property name="MaxUserNameListLength">100</Property>
      <!-- Connection details and bind account: sample values, replace with your own -->
      <Property name="ConnectionURL">ldap://localhost:10389</Property>
      <Property name="ConnectionName">uid=admin,ou=system</Property>
      <Property name="ConnectionPassword">admin</Property>
      <Property name="passwordHashMethod">PLAIN_TEXT</Property>
      <!-- User lookup; "&" in a filter must be written as "&amp;" inside XML -->
      <Property name="UserSearchBase">ou=system</Property>
      <Property name="UserNameListFilter">(objectClass=person)</Property>
      <Property name="UserNameSearchFilter">(&amp;(objectClass=person)(uid=?))</Property>
      <Property name="UserNameAttribute">uid</Property>
      <!-- Group (role) lookup -->
      <Property name="ReadGroups">true</Property>
      <Property name="GroupSearchBase">ou=system</Property>
      <Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
      <Property name="GroupNameSearchFilter">(&amp;(objectClass=groupOfNames)(cn=?))</Property>
      <Property name="GroupNameAttribute">cn</Property>
      <Property name="SharedGroupNameAttribute">cn</Property>
      <Property name="SharedGroupSearchBase">ou=SharedGroups,dc=wso2,dc=org</Property>
      <Property name="SharedGroupNameListFilter">(objectClass=groupOfNames)</Property>
      <Property name="SharedTenantNameListFilter">(objectClass=organizationalUnit)</Property>
      <Property name="SharedTenantNameAttribute">ou</Property>
      <Property name="SharedTenantObjectClass">organizationalUnit</Property>
      <Property name="MembershipAttribute">member</Property>
      <Property name="UserRolesCacheEnabled">true</Property>
      <Property name="ReplaceEscapeCharactersAtUserLogin">true</Property>
      <Property name="MaxRoleNameListLength">100</Property>
      <Property name="MaxUserNameListLength">100</Property>
      <Property name="SCIMEnabled">false</Property>
    </UserStoreManager>
  </Realm>
</UserManager>
```
...
Update the connection details to match your user store. For example:
```xml
<Property name="ConnectionURL">ldap://localhost:10389</Property>
```
...
Obtain a user who has permission to read all users/attributes and perform searches on the user store from your LDAP/Active Directory administrator. For example, if the privileged user is "AdminLDAP" and the password is "2010#Avrudu", update the following sections of the realm configuration as follows:
```xml
<Property name="ConnectionName">uid=AdminLDAP,ou=system</Property>
<Property name="ConnectionPassword">2010#Avrudu</Property>
```
...
Update <Property name="UserSearchBase"> with the directory name where the users are stored. When LDAP searches for users, it will start from this location of the directory.
```xml
<Property name="UserSearchBase">ou=system</Property>
```
...
Set the attribute to use as the username, typically either cn or uid for LDAP. Ideally, <Property name="UserNameAttribute"> and <Property name="UserNameSearchFilter"> should refer to the same attribute. If you are not sure what attribute is available in your user store, check with your LDAP/Active Directory administrator.
For example:
```xml
<Property name="UserNameAttribute">uid</Property>
```
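The connection, credential and username-attribute steps above can be checked mechanically before the server is started. The following is an added example, not part of the original page or of WSO2's code: the function name `lint_user_store` and the finding codes are hypothetical, the embedded XML is a constructed sample modelled on the page's snippet, and the `ldap://` check rests on the assumption that the connection is not otherwise protected by TLS.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the page's user-mgt.xml snippet.
SAMPLE = """<UserManager><Realm>
  <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager">
    <Property name="ReadOnly">true</Property>
    <Property name="ConnectionURL">ldap://localhost:10389</Property>
    <Property name="ConnectionName">uid=admin,ou=system</Property>
    <Property name="ConnectionPassword">admin</Property>
    <Property name="UserNameSearchFilter">(&amp;(objectClass=person)(uid=?))</Property>
    <Property name="UserNameAttribute">cn</Property>
    <Property name="MaxUserNameListLength">100</Property>
    <Property name="MaxUserNameListLength">100</Property>
  </UserStoreManager>
</Realm></UserManager>"""

# Passwords shown in the documentation samples; they must not survive into a deployment.
SAMPLE_PASSWORDS = {"admin", "2010#Avrudu"}


def lint_user_store(xml_text):
    """Return a sorted list of finding codes for every UserStoreManager element."""
    findings = set()
    for usm in ET.fromstring(xml_text).iter("UserStoreManager"):
        props = {}
        for prop in usm.findall("Property"):
            name = prop.get("name")
            if name in props:  # the same property declared twice
                findings.add("duplicate-property:" + name)
            props[name] = (prop.text or "").strip()
        if props.get("ReadOnly", "").lower() != "true":
            findings.add("not-read-only")
        if props.get("ConnectionURL", "").lower().startswith("ldap://"):
            findings.add("cleartext-ldap-url")  # assumption: no TLS on this link
        if props.get("ConnectionPassword") in SAMPLE_PASSWORDS:
            findings.add("sample-bind-password")
        # The page's advice: the search filter should use the UserNameAttribute.
        attr = props.get("UserNameAttribute", "")
        flt = props.get("UserNameSearchFilter", "")
        if not re.search(r"\(\s*" + re.escape(attr) + r"\s*=\s*\?\s*\)", flt, re.I):
            findings.add("username-attribute-filter-mismatch")
    return sorted(findings)


if __name__ == "__main__":
    for finding in lint_user_store(SAMPLE):
        print(finding)
```
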
...
Optionally, configure the realm to read roles from the user store by reading the user/role mapping based on a membership (user list) or backlink attribute. The following code snippet represents reading roles based on a membership attribute. This is used by the ApacheDirectory server and OpenLDAP.
```xml
<Property name="ReadLDAPGroups">false</Property>
<Property name="GroupSearchBase">ou=system</Property>
<Property name="GroupSearchFilter">(objectClass=groupOfNames)</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="MembershipAttribute">member</Property>
```
...
For the UserName element, set the same username you set for the uid in the connection name configuration in step 4. You do not have to update the password element; leave it as is.
```xml
<AdminUser>
  <UserName>AdminLDAP</UserName>
  <Password>XXXXXX</Password>
</AdminUser>
```
...
This file is shipped with user store manager configurations for all possible user store types (JDBC, read-only LDAP/Active Directory, read-write LDAP and read-write Active Directory). The instructions given below explain how to configure a read-only LDAP or Active Directory as the primary user store for the WSO2 server.
The following topics provide more information on configuring a read-only LDAP user store.